On May 15, 2026, the decentralized cross-chain liquidity protocol THORChain once again found itself in the spotlight - multiple security agencies nearly simultaneously detected abnormal cross-chain asset movements, which were initially determined to be suspected attacks or exploitation events. Preliminary assessments disclosed by PeckShield indicate that the loss caused by this incident is approximately between $7.4 million and $10 million, with no unified figure available yet. More aggressive third-party analyses have even suggested that it may exceed $10 million, but this remains to be verified. On-chain traces show that this incident spanned four networks: Bitcoin, BNB Chain, Ethereum, and Base, with at least about 36.75 Bitcoin transferred to an address starting with bc1ql4u94klk265lnfur2uj, which is considered a key anchor point for this event. For a protocol that focuses on “native asset cross-chain trading," such a multi-chain resonant attack is particularly glaring - especially since THORChain had already suffered losses multiple times due to security issues in 2021, and the recurrence of cross-chain security failures not only reopens old memories for long-time users but also brings the long-standing debate about cross-chain architecture risks back to the forefront.

Simultaneous Multi-Chain Breach: Distribution of Stolen Assets

From current publicly available statistics, this attack appears more like a “tear” of asset breaches across multiple public chains at once. The total loss range indicated by security agencies roughly falls between $7.4 million and $10 million, yet there has yet to be a unified figure recognized by all parties. What is relatively clear is that according to PeckShield, about 36.75 BTC was stolen during this incident, estimated to be around $3 million at the time, with at least a portion transferred to an address starting with bc1ql4u94klk265lnfur2uj, thereby regarded as the core anchor asset of this attack, with approximately 36.8 BTC on-chain linked to it.

If the BTC part is viewed as the visible tip of the iceberg, the remaining approximately $7 million in losses is dispersed across the BNB Chain, Ethereum, and Base networks, with specific asset compositions not fully disclosed. Third parties such as ZachXBT, Solid Intel, and Wu Blockchain have speculated based on on-chain data that total losses could exceed $10 million, with some sources noting that Arkham has labeled certain addresses as “THORChain Exploiter,” mentioning a combination of assets linked to the Ethereum address 0x82fc0d5150f3548027e971ec04c065f3c93154eb, but these higher loss estimates and address labels are currently in a "to be verified" state, suggesting that the true upper limit of losses associated with this attack and the multi-chain distribution still contains significant statistical errors and areas of uncertainty.

Old Wounds Unhealed, New Pain: THORChain's Security History

Even estimating the upper limit of losses from the current attack at $7.4 million to $10 million, it does not represent a blank slate in THORChain's security narrative, but rather feels like a new page in an old file. As early as around 2021, this cross-chain liquidity protocol allowing users to directly exchange native assets across multiple public chains had already encountered multiple security incidents leading to asset losses during its operations, at that time, risks exposed by cross-chain asset custody and contract logic had sparked prolonged debates within the community over its security framework. Now, years later, after once again being monitored by multiple security agencies for suspected attacks or exploit events, this “recurrence” naturally brings back memories to the timeline of 2021, reminding the market that the shadows of that year have never completely dissipated.

From a design perspective, THORChain has chosen a narrow road where risk and efficiency overlap: to facilitate the matching of native assets across Bitcoin, BNB Chain, Ethereum, and Base requires making structural trade-offs between cross-chain asset custody and inter-chain state mapping, and elements like cross-chain bridges and multi-chain asset custody have repeatedly become targets in several recent DeFi security incidents. In this context, the single attack loss estimated at around $7.4 to $10 million, viewed as a medium-to-high level DeFi attack loss, does not constitute the “largest crime scene” in industry history, yet it adds a significant annotation to THORChain's existing security record. Especially since the official sources have yet to disclose specific technical reasons or types of vulnerabilities; this annotation points more toward an unresolved structural hazard that has not completed its self-repair.

Why Cross-Chain Bridges Are DeFi's Soft Underbelly

From THORChain’s design perspective, it does not pool funds on a single chain but simultaneously manages asset pools across Bitcoin, BNB Chain, Ethereum, and Base, aligning these native assets through cross-chain logic. With each additional chain, a new set of asset custody addresses and a new set of state synchronization rules are introduced, expanding the attack surface. During this incident, all four public chains exhibited abnormal outflows, with stolen BTC ultimately concentrated at an address starting with bc1ql4u94klk265lnfur2uj. On the surface, this is merely an on-chain anchor point; however, it encapsulates the process of aggregating multi-chain assets along the same attack path, inherently indicating a potential weakness in cross-chain interaction stages. As current public materials have not disclosed specific technical details, whether the attack occurred in a particular contract module, asset custody process, or cross-chain verification mechanism remains "to be confirmed," with any finer technical attribution currently being mere speculation.

In broader DeFi narratives, cross-chain bridges have long been viewed as a concentration zone for systemic risks. In the past few years, multiple major security incidents have involved cross-chain bridges or multi-chain asset custody. In this background, THORChain's re-emergence of issues is difficult for the market to perceive as an accident. For users and institutions needing to deploy funds across multiple chains, each similar attack deepens a tangible understanding: cross-chain protocols exist in the gaps of different ledgers, lacking complete security guarantees from any underlying chain while shouldering multiple responsibilities of state synchronization, asset custody, and complex contract interactions. If any one link possesses a structural shortcoming, the entire cross-chain path could be torn open anew, and THORChain’s incident seems more like an annotation to the existing thesis of “cross-chain bridge vulnerability” rather than a case that can be easily classified as an isolated anomaly.

Alarm Sounds Again: Market and Community's Security Anxiety

As soon as the incident was discovered, PeckShield immediately issued a warning on social platforms and security monitoring channels, naming THORChain as having possibly encountered an attack, and provided an estimated loss range of around $7.4 to $10 million, noting that approximately 36.75 BTC and multi-chain assets were stolen. Subsequently, several Chinese media outlets including Odaily Planet Daily, Jinse Finance, and PANews quickly quoted this data for reporting, pushing the narrative of “multi-chain impact, losses in the tens of millions” to a broader audience, with preliminary assessments from security agencies completing a rapid transmission loop from on-chain monitoring to the Chinese community public opinion field within hours.

However, alongside the emotional escalation, there still exist noticeable “gray areas” in the information itself. There are claims that Arkham has labeled related entities as “THORChain Exploiter”, estimating their combined assets to be around $6.5 million; others mention that some of the stolen funds might have flowed into the Ethereum address 0x82fc0d5150f3548027e971ec04c065f3c93154eb, involving about 216 ETH and BNB, and that THORChain may have already suspended some functionalities and taken emergency measures. These details currently appear only in a few sources and have not formed a cross-validated consensus. For a community that has experienced multiple security incidents in 2021, this cross-chain incident naturally amplifies risk expectations towards similar protocols yet, before THORChain's official detailed technical report is provided, the best that the market can do is perhaps accept, while remaining vigilant, that current circulating on-chain markings, specific paths of stolen funds, and precise loss figures are more likely working hypotheses under further confirmation rather than established conclusions.

What to Watch Next: Can Cross-Chain Security Catch Up?

While on-chain anchor points and third-party tracking remain at the “working hypothesis” stage, this incident truly reinforces an old adage: cross-chain security is always a systemic shortcoming. Particularly by May 15, 2026, as THORChain officials have yet to publicly disclose a detailed accident report or a complete statement, and the technical causes and accountability of the attack remain unresolved, the variables that are most worth monitoring moving forward are how the project team will craft this “after-action answer”: whether they will disclose vulnerability details and repair pathways, propose compensation or reimbursement schemes, and how willing they are to “lay all cards on the table” regarding architectural design and risk control levels. For the broader DeFi cross-chain protocol space, this incident is almost destined to become a typical case of cross-chain attacks, entering discussions among regulators and industry organizations about cross-chain bridge security, while subtly rewriting the risk preferences of users and institutions. The greater challenge is whether the entire DeFi cross-chain protocol community can treat this incident as a learning opportunity, realigning risk preferences and security baselines at levels acceptable for both regulators and users.

Join our community to discuss and become stronger together!
Official Telegram community: https://t.me/aicoincn
AiCoin Chinese Twitter: https://x.com/AiCoinzh
AiCoin on-chain: https://aicoin.com/hyperliquid
Exclusive Hyperliquid benefits from AiCoin: https://app.hyperliquid.xyz/join/AICOIN88
Exclusive Aster benefits from AiCoin: https://www.asterdex.com/zh-CN/referral/9C50e2

免责声明：本文章仅代表作者个人观点，不代表本平台的立场和观点。本文章仅供信息分享，不构成对任何人的任何投资建议。用户与作者之间的任何争议，与本平台无关。如网页中刊载的文章或图片涉及侵权，请提供相关的权利证明和身份证明发送邮件到support@aicoin.com，本平台相关工作人员将会进行核查。